Vulnerable Library - acorn-6.4.0.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-6.4.0.tgz

Dependency Hierarchy:

Found in HEAD commit: a40cb6cb8792709af22db74e8cf95f0f9e56cedf

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-08

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-08

Fix Resolution: 7.1.1

Vulnerable Libraries - kind-of-3.2.2.tgz, kind-of-4.0.0.tgz, kind-of-6.0.2.tgz, kind-of-5.1.0.tgz

Found in HEAD commit: 1edff4aa28097191fcdc4e70f4b79abc610f5356

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Vulnerable Library - serialize-javascript-2.1.2.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz

Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json

Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/serialize-javascript/package.json,/tmp/ws-scm/basic-vue-sibling/node_modules/copy-webpack-plugin/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• cli-service-4.4.6.tgz (Root Library)
  • copy-webpack-plugin-5.1.1.tgz
    • ❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: e248a1bf63f8561d013059a11c37a43816232613

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0

Vulnerable Libraries - qs-6.5.2.tgz, qs-6.7.0.tgz

Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e

Found in base branch: master

Vulnerability Details

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

Publish Date: 2022-03-17

URL: CVE-2021-44907

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907

Release Date: 2022-03-17

Fix Resolution: qs - 6.8.1

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Library - browserslist-4.16.3.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/browserslist/package.json

Dependency Hierarchy:

• cli-service-4.5.13.tgz (Root Library)
  • ❌ browserslist-4.16.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: basic-vue-sibling/package.json

Path to vulnerable library: basic-vue-sibling/node_modules/copy-webpack-plugin/node_modules/glob-parent/package.json,basic-vue-sibling/node_modules/webpack-dev-server/node_modules/glob-parent/package.json,basic-vue-sibling/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json,basic-vue-sibling/node_modules/fast-glob/node_modules/glob-parent/package.json

Dependency Hierarchy:

• cli-service-4.5.13.tgz (Root Library)
  • copy-webpack-plugin-5.1.2.tgz
    • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 854271c1285a357b179dc4dce834a7145f0a564e

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • sockjs-client-1.5.1.tgz
      • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

Publish Date: 2022-02-17

URL: CVE-2022-0639

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639

Release Date: 2022-02-17

Fix Resolution (url-parse): 1.5.7

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • selfsigned-1.10.11.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • sockjs-client-1.5.1.tgz
      • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Library - ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ssri/package.json

Dependency Hierarchy:

• cli-service-4.5.13.tgz (Root Library)
  • copy-webpack-plugin-5.1.2.tgz
    • cacache-12.0.4.tgz
      • ❌ ssri-6.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 3997eac951ab5c0ef47f187a9135e1f0fb07c40a

Found in base branch: master

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution: ssri - 6.0.2,7.1.1,8.0.1

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • sockjs-client-1.5.1.tgz
      • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/basic-vue-sibling/node_modules/sockjs/examples/express-3.x/index.html

Path to vulnerable library: /basic-vue-sibling/node_modules/sockjs/examples/express-3.x/index.html,/basic-vue-sibling/node_modules/sockjs/examples/express/index.html,/basic-vue-sibling/node_modules/sockjs/examples/echo/index.html,/basic-vue-sibling/node_modules/sockjs/examples/hapi/html/index.html,/basic-vue-sibling/node_modules/sockjs/examples/multiplex/index.html

Dependency Hierarchy:

• ❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 33a0d75f5055ee37ce221d07ef926045a0b01574

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • selfsigned-1.10.11.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json

Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/dot-prop/package.json

Dependency Hierarchy:

• @vue/cli-service-4.2.0.tgz (Root Library)
  • optimize-cssnano-plugin-1.0.6.tgz
    • cssnano-preset-default-4.0.7.tgz
      • postcss-merge-rules-4.0.3.tgz
        • postcss-selector-parser-3.1.1.tgz
          • ❌ dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: ab84b7e15f76255a524336f7a39b9ec2d4b2975b

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: basic-vue-sibling/package.json

Path to vulnerable library: basic-vue-sibling/node_modules/y18n/package.json

Dependency Hierarchy:

• cli-service-4.5.9.tgz (Root Library)
  • cli-highlight-2.1.4.tgz
    • yargs-15.4.1.tgz
      • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 3bc4fe907c3087308feb0e3a3e5e0444f4a3ab6e

Found in base branch: master

Vulnerability Details

This affects the package y18n before 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774

Release Date: 2020-11-17

Fix Resolution: 5.0.5

• ❌ WhiteSource Security Check: Oops! An error occurred while running the Security Check.

🐛 Bug Fixes

• #962 Fixed false positives inside the ternary operator in no-async-in-computed-properties.
• #963 Fixed an issue that caused an error when extra commas were included in require-prop-type-constructor.
• #1009 Fixed an issue that code was broken by autofix of require-prop-type-constructor.
• #1010 Fixed broken links in messages.

All commits: v6.0.1 -> v6.0.2

The new version differs by 7 commits.

• 2e75458 version 6.0.2
• 959298f Fixed broken links. (#1010)
• 4476263 Fixed a bug that source code is broken by autofix of require-prop-type-constructor. (#1009)
• acb48eb Fixed lint error on CI (#1008)
• 2418da7 Fixed an issue that caused an error when extra commas were included in require-prop-type-constructor (#963)
• b412783 Fixed false positives inside the ternary operator in no-async-in-computed-properties (#962)
• e8f130c Typescript doc for vue/html-indent (#989)

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - ajv-6.10.2.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz

Dependency Hierarchy:

• eslint-6.7.2.tgz (Root Library)
  • ❌ ajv-6.10.2.tgz (Vulnerable Library)

Found in HEAD commit: acb3ab1e71d0faadfc8366774100727ae9ecb2af

Found in base branch: master

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

Release Date: 2020-07-15

Fix Resolution: ajv - 6.12.3

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/basic-vue-sibling/node_modules/sockjs/examples/express-3.x/index.html

Path to vulnerable library: /basic-vue-sibling/node_modules/sockjs/examples/express-3.x/index.html,/basic-vue-sibling/node_modules/sockjs/examples/express/index.html,/basic-vue-sibling/node_modules/sockjs/examples/echo/index.html,/basic-vue-sibling/node_modules/sockjs/examples/hapi/html/index.html,/basic-vue-sibling/node_modules/sockjs/examples/multiplex/index.html

Dependency Hierarchy:

• ❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 33a0d75f5055ee37ce221d07ef926045a0b01574

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	6.1	CVE-2015-9251	#4
Medium	6.1	CVE-2012-6708	#3
Medium	4.3	WS-2016-0090	#5

The new version differs by 2 commits.

• 4bd049e 10.1.0
• 2c754a8 Update Babel to ^7.7.0 and enable Flow enums parsing (#812)

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/basic-vue-sibling/node_modules/sockjs/examples/express-3.x/index.html

Path to vulnerable library: /basic-vue-sibling/node_modules/sockjs/examples/express-3.x/index.html,/basic-vue-sibling/node_modules/sockjs/examples/express/index.html,/basic-vue-sibling/node_modules/sockjs/examples/echo/index.html,/basic-vue-sibling/node_modules/sockjs/examples/hapi/html/index.html,/basic-vue-sibling/node_modules/sockjs/examples/multiplex/index.html

Dependency Hierarchy:

• ❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: 33a0d75f5055ee37ce221d07ef926045a0b01574

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Vulnerable Library - yargs-parser-11.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz

Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json

Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/webpack-dev-server/node_modules/yargs-parser/package.json

Dependency Hierarchy:

• cli-service-4.3.0.tgz (Root Library)
  • webpack-dev-server-3.10.3.tgz
    • yargs-12.0.5.tgz
      • ❌ yargs-parser-11.1.1.tgz (Vulnerable Library)

Found in HEAD commit: d4fa973a1deb6251248ff51a601892687829c23d

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • selfsigned-1.10.11.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	6.1	CVE-2015-9251	#4
Medium	6.1	CVE-2012-6708	#3
Medium	4.3	WS-2016-0090	#5

🐛 Bug Fix

• @vue/cli-plugin-typescript
  • #4894 fix: fix tsx compilation (@sodatea)

Committers: 1

• Haoqun Jiang (@sodatea)

The new version differs by 3 commits.

• 2ddcc65 v4.1.1
• dd98fa6 fix: fix tsx compilation (#4894)
• d21245d workflow: correctly decide which dist-tag to use

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • sockjs-client-1.5.1.tgz
      • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

url-parse is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2021-07-26

URL: CVE-2021-3664

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664

Release Date: 2021-07-26

Fix Resolution (url-parse): 1.5.2

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz

Found in HEAD commit: 854271c1285a357b179dc4dce834a7145f0a564e

Found in base branch: master

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Dependency Hierarchy:

• eslint-6.7.2.tgz (Root Library)
  • ❌ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: acb3ab1e71d0faadfc8366774100727ae9ecb2af

Found in base branch: master

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

• cli-plugin-babel-4.5.17.tgz (Root Library)
  • cli-shared-utils-4.5.17.tgz
    • request-2.88.2.tgz
      • http-signature-1.2.0.tgz
        • jsprim-1.4.1.tgz
          • ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e

Found in base branch: master

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.18

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	6.1	CVE-2015-9251	#4
Medium	6.1	CVE-2012-6708	#3
Medium	4.3	WS-2016-0090	#5

Security Fixes

• Bump vue-server-renderer's dependency of serialize-javascript to 2.1.2

Bug Fixes

• types: fix prop constructor type inference (#10779) 4821149, closes #10779
• fix function expression regex (#9922) 569b728, closes #9922 #9920
• compiler: Remove the warning for valid v-slot value (#9917) 085d188, closes #9917
• types: fix global namespace declaration for UMD bundle (#9912) ab50e8e, closes #9912

The new version differs by 81 commits.

• ec78fc8 build: release 2.6.11
• a98048f build: build 2.6.11
• fc41f91 chore: update yarn.lock
• 70429c3 build(deps-dev): bump serialize-javascript from 1.3.0 to 2.1.2 (#10914)
• 9fbd416 chore: update sponsors [ci skip] (#10896)
• a974022 chore: update backers [ci skip] (#10895)
• 6b4c0f9 chore: typo in comment
• fd0eaf9 chore: update sponsors [ci skip] (#10841)
• 2c6a827 chore: update sponsors [ci skip] (#10821)
• f796ab4 chore: update sponsors [ci skip] (#10800)
• 276c082 chore: update backers [ci skip] (#10799)
• 4821149 fix(types): fix prop constructor type inference (#10779)
• 9f5563c chore: update sponsors [ci skip]
• b805a19 build(deps-dev): bump lodash.template from 4.4.0 to 4.5.0 (#10636)
• bd47e5b build(deps-dev): bump lodash from 4.17.11 to 4.17.13 (#10635)

There are 81 commits in total.

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • sockjs-client-1.5.1.tgz
      • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

Publish Date: 2022-02-14

URL: CVE-2022-0512

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512

Release Date: 2022-02-14

Fix Resolution (url-parse): 1.5.6

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Dependency Hierarchy:

• eslint-6.7.2.tgz (Root Library)
  • ❌ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: acb3ab1e71d0faadfc8366774100727ae9ecb2af

Found in base branch: master

Vulnerability Details

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - follow-redirects-1.14.1.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • http-proxy-middleware-0.19.1.tgz
      • http-proxy-1.18.1.tgz
        • ❌ follow-redirects-1.14.1.tgz (Vulnerable Library)

Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e

Found in base branch: master

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution (follow-redirects): 1.14.7

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json

Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/lodash/package.json

Dependency Hierarchy:

• eslint-6.7.2.tgz (Root Library)
  • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: e5a33c2685111877211c5d2bdc84b7515e6ccd4d

Vulnerability Details

a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: basic-vue-sibling/package.json

Path to vulnerable library: basic-vue-sibling/node_modules/is-svg/package.json

Dependency Hierarchy:

• cli-service-4.5.12.tgz (Root Library)
  • optimize-cssnano-plugin-1.0.6.tgz
    • cssnano-preset-default-4.0.7.tgz
      • postcss-svgo-4.0.2.tgz
        • ❌ is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 3997eac951ab5c0ef47f187a9135e1f0fb07c40a

Found in base branch: master

Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution: v4.2.2

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/copy-webpack-plugin/node_modules/glob-parent/package.json,/node_modules/webpack-dev-server/node_modules/glob-parent/package.json,/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json,/node_modules/fast-glob/node_modules/glob-parent/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • copy-webpack-plugin-5.1.2.tgz
    • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 854271c1285a357b179dc4dce834a7145f0a564e

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-html/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • ❌ ansi-html-0.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e

Found in base branch: master

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution (ansi-html): 0.0.8

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	6.1	CVE-2015-9251	#4
Medium	6.1	CVE-2012-6708	#3
Medium	4.3	WS-2016-0090	#5

🐛 Bug Fix

• @vue/cli-plugin-typescript
  • #4894 fix: fix tsx compilation (@sodatea)

Committers: 1

• Haoqun Jiang (@sodatea)

The new version differs by 3 commits.

• 2ddcc65 v4.1.1
• dd98fa6 fix: fix tsx compilation (#4894)
• d21245d workflow: correctly decide which dist-tag to use

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	6.1	CVE-2015-9251	#4
Medium	6.1	CVE-2012-6708	#3
Medium	4.3	WS-2016-0090	#5

• dd1e9f4 Fix: revert changes to key-spacing due to regression (#12598) (Kai Cataldo)
• c644b54 Docs: Update README team and sponsors (ESLint Jenkins)

The new version differs by 4 commits.

• af95154 6.7.1
• 9361824 Build: changelog update for 6.7.1
• dd1e9f4 Fix: revert changes to key-spacing due to regression (#12598)
• c644b54 Docs: Update README team and sponsors

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • selfsigned-1.10.11.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/css-what/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • cssnano-4.1.11.tgz
    • cssnano-preset-default-4.0.8.tgz
      • postcss-svgo-4.0.3.tgz
        • svgo-1.3.2.tgz
          • css-select-2.1.0.tgz
            • ❌ css-what-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 854271c1285a357b179dc4dce834a7145f0a564e

Found in base branch: master

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	6.1	CVE-2015-9251	#4
Medium	6.1	CVE-2012-6708	#3
Medium	4.3	WS-2016-0090	#5

🐛 Bug Fix

• @vue/cli-plugin-typescript
  • #4894 fix: fix tsx compilation (@sodatea)

Committers: 1

• Haoqun Jiang (@sodatea)

The new version differs by 3 commits.

• 2ddcc65 v4.1.1
• dd98fa6 fix: fix tsx compilation (#4894)
• d21245d workflow: correctly decide which dist-tag to use

See the full diff

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • selfsigned-1.10.11.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json

Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/elliptic/package.json

Dependency Hierarchy:

• cli-plugin-babel-4.4.1.tgz (Root Library)
  • webpack-4.43.0.tgz
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.2.0.tgz
          • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: e5a33c2685111877211c5d2bdc84b7515e6ccd4d

Vulnerability Details

all versions before 6.5.2 of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ejs/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-bundle-analyzer-3.9.0.tgz
    • ❌ ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 854271c1285a357b179dc4dce834a7145f0a564e

Found in base branch: master

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution (ejs): 3.1.6

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hosted-git-info/package.json

Dependency Hierarchy:

• cli-plugin-babel-4.5.13.tgz (Root Library)
  • cli-shared-utils-4.5.13.tgz
    • read-pkg-5.2.0.tgz
      • normalize-package-data-2.5.0.tgz
        • ❌ hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 3997eac951ab5c0ef47f187a9135e1f0fb07c40a

Found in base branch: master

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution (hosted-git-info): 2.8.9

Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.14

• ❌ WhiteSource Security Check: The Security Check found 3 vulnerabilities.

Severity	CVSS Score	CVE	GitHub Issue
Medium	6.1	CVE-2015-9251	#4
Medium	6.1	CVE-2012-6708	#3
Medium	4.3	WS-2016-0090	#5

• Fixed missed es.json.stringify and some modules from iteration helpers proposal in some entry points
• Added a workaround of String#{ endsWith, startsWith } MDN polyfills bugs, #702
• Fixed .size property descriptor of Map / Set in the pure version
• Refactoring, some internal improvements

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

Found in HEAD commit: a40cb6cb8792709af22db74e8cf95f0f9e56cedf

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

Vulnerable Library - follow-redirects-1.14.1.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

• cli-service-4.5.17.tgz (Root Library)
  • webpack-dev-server-3.11.2.tgz
    • http-proxy-middleware-0.19.1.tgz
      • http-proxy-1.18.1.tgz
        • ❌ follow-redirects-1.14.1.tgz (Vulnerable Library)

Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.18

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:

• babel-eslint-10.1.0.tgz (Root Library)
  • resolve-1.20.0.tgz
    • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 854271c1285a357b179dc4dce834a7145f0a564e

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7